Dave Gerry, CEO, Bugcrowd, and David Brumley, CEO, Mayhem Security
Bugcrowd has acquired Mayhem Security—an offensive-security firm led by professor David Brumley of Carnegie Mellon University—to combine AI-powered automated testing with crowdsourced human vulnerability discovery.
Based in San Francisco, Bugcrowd is integrating Mayhem’s Pittsburgh-based automation capabilities with its own human-led platform to deliver end-to-end application security—from autonomous scanning to red-teaming and bug bounties. Bugcrowd’s CEO Dave Gerry said the integration will allow customers to tackle the full AppSec lifecycle more efficiently.
Mayhem, founded in 2012 (formerly ForAllSecure) and backed by a $21 million Series B round, brings reinforcement-learning-based AI that can detect and exploit vulnerabilities in practice-based environments rather than just learning from data. Brumley noted that the platform achieves “100% accuracy” when it claims a bug because it uses verified exploits.
The synergy addresses each approach’s shortcomings: automated tools scale but often miss context-heavy issues, while human testers provide edge-case creativity but don’t scale easily. Together, the combined platform gives organizations flexibility to deploy automation for consistency and humans for creativity.
In the short term, Mayhem’s data will feed into Bugcrowd’s interface; over time, Mayhem’s tools will be embedded natively in the platform for a unified workflow. Both companies serve industries like defense, aerospace, finance and tech, working with CISOs and product-security leads.
Gerry said Bugcrowd reviewed 50-60 companies before selecting Mayhem, pointing to expected consolidation in the vulnerability-discovery and crowdsourced-security markets.